Azure Kubernetes (AKS) SDN connector using client secret

Azure SDN connectors support dynamic firewall addresses whose members are selected by Azure Kubernetes (AKS) filters, so a policy can follow pods, services, and nodes as the cluster changes instead of referencing static IP addresses.

To enable an Azure SDN connector to fetch IP addresses from Azure Kubernetes:
  1. Configure the Azure SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Azure.
    3. Configure the connector as shown, substituting the region, tenant ID, client ID, and client secret for your deployment. See Azure SDN connector service principal configuration requirements. The client secret is a credential for that service principal: grant the principal only the read permissions listed there, and rotate the secret before it expires, because an expired secret stops the connector from updating addresses.

      Screenshot of SDN connector configuration for Azure AKS

  2. Create a dynamic firewall address for the configured K8s SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. From the Type dropdown list, select Dynamic.
    4. From the Sub Type dropdown list, select Fabric Connector Address.
    5. From the SDN Connector dropdown list, select the desired SDN connector.
    6. In the Filter field, add the desired filter. A filter selects instances by one of the following Kubernetes attributes:

      - Name of the Kubernetes cluster.
      - Namespace of a Kubernetes service or pod.
      - Name of a Kubernetes service.
      - Name of a Kubernetes node.
      - Zone of a Kubernetes node.
      - Region of a Kubernetes node.
      - Name of a Kubernetes pod.
      - Name of a label on a Kubernetes resource (cluster, service, node, or pod).

      In this example, the address is configured to automatically populate and update IP addresses only for instances that belong to the zhmKC cluster:

      Screenshot of Azure Kubernetes setup displaying the creation of dynamic firewall address

  3. Ensure that the K8s SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for instances that belong to the zhmKC
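To make the filter semantics of step 2 and the resolution check of step 3 concrete, the following added example (not FortiGate code, and not from the original page) models how a single filter is resolved against an inventory of cluster instances. The filter keys used here (cluster, namespace, service, node, zone, region, pod, and label.<name>) are assumed names standing in for the eight filter kinds listed above, not the product's own filter syntax, and the inventory is constructed sample data.

```python
"""Resolve a Kubernetes attribute filter to the IP addresses a dynamic
firewall address would contain.

Added example, not FortiGate code. Filter keys and the inventory below
are assumptions/constructed data standing in for the real connector.
"""

from dataclasses import dataclass, field


@dataclass
class Instance:
    """One cluster instance as the connector would see it (constructed)."""
    ip: str
    cluster: str
    namespace: str
    service: str
    node: str
    zone: str
    region: str
    pod: str
    labels: dict = field(default_factory=dict)


# Constructed sample inventory: three pods in the zhmKC cluster from the
# page's example, plus one pod in a second cluster to show over-matching.
INVENTORY = [
    Instance("10.244.0.12", "zhmKC", "default", "web", "aks-np-0",
             "eastus-1", "eastus", "web-7d9f-abc",
             {"app": "web", "tier": "frontend"}),
    Instance("10.244.1.7", "zhmKC", "default", "web", "aks-np-1",
             "eastus-2", "eastus", "web-7d9f-def",
             {"app": "web", "tier": "frontend"}),
    Instance("10.244.1.9", "zhmKC", "payments", "api", "aks-np-1",
             "eastus-2", "eastus", "api-5c1-xyz",
             {"app": "api", "tier": "backend"}),
    Instance("10.240.0.5", "other", "default", "web", "aks-o-0",
             "westus-1", "westus", "web-1", {"app": "web"}),
]

# Assumed key names for the page's filter kinds (not the product's syntax).
SIMPLE_KEYS = ("cluster", "namespace", "service", "node", "zone", "region", "pod")


def parse_filter(expr):
    """Parse 'key=value' or 'label.<name>=value' into (key, label_name, value).

    Raises ValueError for malformed or unsupported filters so a typo does
    not silently turn into an address that matches nothing.
    """
    if "=" not in expr:
        raise ValueError(f"filter {expr!r} must have the form key=value")
    key, value = (part.strip() for part in expr.split("=", 1))
    if key.startswith("label."):
        name = key[len("label."):]
        if not name:
            raise ValueError("label filter needs a label name after 'label.'")
        return ("label", name, value)
    if key not in SIMPLE_KEYS:
        raise ValueError(f"unsupported filter key {key!r}")
    return (key, None, value)


def matches(inst, parsed):
    """Exact, case-sensitive comparison: Kubernetes names are case-sensitive."""
    key, name, value = parsed
    if key == "label":
        return inst.labels.get(name) == value
    return getattr(inst, key) == value


def resolve(expr, inventory=INVENTORY):
    """Return the sorted, de-duplicated IPs of instances matching the filter.

    An empty result is the condition step 3 is meant to catch: a policy that
    references an address resolving to no IPs matches no traffic.
    """
    parsed = parse_filter(expr)
    return sorted({inst.ip for inst in inventory if matches(inst, parsed)})


if __name__ == "__main__":
    for f in ("cluster=zhmKC", "namespace=payments", "label.tier=frontend",
              "service=web", "cluster=ZHMKC"):
        ips = resolve(f)
        print(f"{f:22} -> {ips if ips else 'NO MATCH (policy would be inert)'}")
```

Two points the run makes visible: `cluster=ZHMKC` resolves to nothing because the comparison is case-sensitive, which is exactly the empty-address condition to look for when hovering over the address in step 3; and `service=web` alone pulls in the pod from the second cluster, so a filter on a name that is not unique across clusters should be checked against the resolved list rather than assumed to be scoped to one cluster.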